Options page

You can enable and disable the Firewall module, configure protection options, and define networks and trusted executables to use in rules and groups.

Note: Host Intrusion Prevention 8.0 can be installed on the same system as Endpoint Security version 10.6. If McAfee Host IPS Firewall is installed and enabled, Endpoint Security Firewall is disabled even if enabled in the settings.
Option definitions
Section Option Definition
Firewall Enable Firewall Enables and disables the Firewall module.

(Enabled by default)

Protection Options (Windows only) Allow traffic for unsupported protocols Allows all traffic that uses unsupported protocols. When disabled, all traffic using unsupported protocols is blocked.

(Disabled by default)

Allow only outgoing traffic until firewall services have started Allows outgoing traffic but no incoming traffic until the Firewall service starts on the client system.
Caution: If this option is disabled, Firewall allows all traffic before services are started, potentially leaving the system vulnerable.
Allow bridged traffic Allows:
  • Incoming packets if the destination MAC address is in the supported VM MAC address range and is not a local MAC address on the system.
  • Outgoing packets if the source MAC address is in the supported MAC address range and is not a local MAC address on the system.

(Disabled by default)

Enable firewall intrusion alerts Displays alerts automatically when Firewall detects a potential attack.

(Enabled by default)

DNS Blocking (Windows & macOS only) Domain name Defines domain names to block.

When applied, this setting adds a rule near the top of the firewall rules that blocks connections to the IP addresses resolving to the domain names.

  • Add — Adds a domain name to the blocked list. Separate multiple domains with a comma (,) or a carriage return.

    You can use the * and ? wildcards. For example, *domain.com.

    Duplicate entries are removed automatically.

  • Edit — Changes the selected item.
  • Delete — Removes the selected domain name from the blocked list.
  • Clear All — Removes all domain names from the blocked list.
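To make the Add-field format and the wildcard semantics concrete, here is an added worked example (not McAfee's code, and not how Endpoint Security implements the option internally). It parses a block list typed as comma- or carriage-return-separated domains, removes duplicates, matches resolved names against the `*` and `?` wildcards, and emits the block rules implied for the resolved IP addresses. The exact wildcard semantics are an assumption: `*` is taken to match any run of characters (dots included, so `*ads.test` also matches `ads.test` itself), and `?` exactly one character. The domains, IP addresses and DNS answers are constructed sample data.

```python
import re
from typing import Dict, List, Optional


def parse_blocked_domains(text: str) -> List[str]:
    """Split the Add-field text on commas or carriage returns, trim, lowercase,
    strip a trailing dot, and drop duplicates while keeping first-seen order."""
    seen = set()
    result = []
    for raw in re.split(r"[,\r\n]+", text):
        name = raw.strip().lower().rstrip(".")
        if name and name not in seen:
            seen.add(name)
            result.append(name)
    return result


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate * and ? into a regex anchored to the whole host name.
    ASSUMPTION: * matches any run of characters (including dots), ? one character."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


class DnsBlockList:
    def __init__(self, text: str):
        self.patterns = parse_blocked_domains(text)
        self._compiled = [(p, wildcard_to_regex(p)) for p in self.patterns]

    def match(self, domain: str) -> Optional[str]:
        """Return the first pattern that blocks a resolved name, or None."""
        name = domain.strip().lower().rstrip(".")
        for pattern, rx in self._compiled:
            if rx.match(name):
                return pattern
        return None

    def block_rules(self, resolutions: Dict[str, List[str]]) -> List[dict]:
        """Given {name: [ip, ...]} from observed DNS answers, emit the deny
        rules the option adds near the top of the rule list for those IPs."""
        rules = []
        for name, ips in resolutions.items():
            pattern = self.match(name)
            if pattern:
                for ip in ips:
                    rules.append({"action": "block", "remote_ip": ip, "reason": pattern})
        return rules


# Constructed sample input: mixed separators, a duplicate in different case,
# and both wildcard kinds.
CONSTRUCTED_BLOCK_INPUT = (
    "*ads.test, tracker.example.test\r\nTRACKER.example.test\ncdn?.metrics.test"
)

# Constructed DNS answers (documentation addresses only).
CONSTRUCTED_RESOLUTIONS = {
    "ads.test": ["192.0.2.10", "192.0.2.11"],
    "example.test": ["198.51.100.5"],
}


def demo() -> List[dict]:
    """Build the list from the constructed input and return the implied rules."""
    return DnsBlockList(CONSTRUCTED_BLOCK_INPUT).block_rules(CONSTRUCTED_RESOLUTIONS)
```

Note the difference between `*ads.test` (matches `ads.test`, `cdn.ads.test` and also `badads.test`) and `*.ads.test` (requires a subdomain): when tuning a block list, the former is the broader pattern and can catch unrelated names that merely end in the same string.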
Advanced options
Section Option Definition
Tuning Options Enable Adaptive mode Creates rules automatically to allow traffic.

(Disabled by default)

Best practice: Enable Adaptive mode temporarily on a few systems only while tuning Firewall. Enabling this mode might generate many client rules, which the McAfee ePO server must process, negatively affecting performance.

Disable McAfee core networking rules (Windows only) Disables the built-in McAfee networking rules (in the McAfee core networking rule group).

(Disabled by default)

Caution: Enabling this option might disrupt network communications on the client system.
Retain existing user-added rules and Adaptive mode rules when this policy is enforced Retains rules created on the client system:
  • Automatically with Adaptive mode
  • Manually on a client system

Select this option to prevent client-added rules from being removed when the policy is enforced from McAfee ePO.

(Enabled by default)

Log all blocked traffic (Windows only) Logs all blocked traffic to the Firewall event log (FirewallEventMonitor.log) on the client system.

(Enabled by default)

Log all allowed traffic (Windows only) Logs all allowed traffic to the Firewall event log (FirewallEventMonitor.log) on the client system.

(Disabled by default)

Caution: Enabling this option might negatively affect performance.
McAfee GTI Network Reputation (Windows only) Treat McAfee GTI match as intrusion Treats traffic that matches the McAfee GTI block threshold setting as an intrusion and displays an alert.

Any IP address for a trusted network is excluded from McAfee GTI lookup.

(Enabled by default)

Log matching traffic Treats traffic that matches the McAfee GTI block threshold setting as a detection and displays an event in the Event Log on the Endpoint Security Client. Firewall also sends an event to McAfee ePO.

(Enabled by default)

Any IP address for a trusted network is excluded from McAfee GTI lookup.

Block all untrusted executables Blocks network activity from all executables that are not signed or have a malicious reputation.

(Disabled by default)

Best practice: To allow a trusted unsigned executable, add it to the Trusted Executables list.

Incoming network-reputation threshold

Outgoing network-reputation threshold

Specifies the McAfee GTI rating threshold for blocking incoming or outgoing traffic from a network connection.
  • Do not block (Default) — This site is a legitimate source or destination of content/traffic.
  • High Risk — This source/destination sends or hosts potentially malicious content/traffic that McAfee considers risky.
  • Medium Risk — This source/destination shows behavior that McAfee considers suspicious. Any content/traffic from the site requires special scrutiny.
  • Unverified — This site appears to be a legitimate source or destination of content/traffic, but also displays properties suggesting that further inspection is needed.
If McAfee GTI ratings server is not reachable Specifies whether to block or allow traffic by default if McAfee GTI is not available:
  • Block traffic (Default) — Blocks all traffic if Firewall can't reach the McAfee GTI server.
  • Allow traffic unless specifically blocked by rules — Allows all traffic unless specifically blocked by a firewall rule.
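The following added example (not McAfee's code, and not the product's implementation) models how the McAfee GTI Network Reputation options above combine: separate incoming and outgoing thresholds, the exclusion of defined-network addresses from the lookup, and the fallback when the ratings server is not reachable. Two points are assumptions rather than statements from the page: a rating is treated as a match when it is at least as risky as the threshold (so a threshold of Unverified also blocks Medium Risk and High Risk), and a result of `pass` means only that GTI did not block the packet, which then falls through to the ordinary firewall rules. Ratings, addresses and networks are constructed sample data.

```python
import ipaddress
from enum import IntEnum
from typing import Callable, Iterable, Tuple


class Reputation(IntEnum):
    """GTI ratings ordered least to most risky (order is an assumption)."""
    DO_NOT_BLOCK = 0
    UNVERIFIED = 1
    MEDIUM_RISK = 2
    HIGH_RISK = 3


class GtiUnreachable(Exception):
    """Raised by the lookup callable when the GTI ratings server cannot be reached."""


Verdict = Tuple[str, str]  # ("block" | "pass", reason)


class GtiPolicy:
    def __init__(
        self,
        incoming_threshold: Reputation,
        outgoing_threshold: Reputation,
        defined_networks: Iterable[str],
        block_when_unreachable: bool = True,   # "Block traffic" is the page default
    ):
        self.thresholds = {"in": incoming_threshold, "out": outgoing_threshold}
        self.defined_networks = [ipaddress.ip_network(n) for n in defined_networks]
        self.block_when_unreachable = block_when_unreachable

    def evaluate(self, direction: str, remote_ip: str,
                 lookup: Callable[[ipaddress._BaseAddress], Reputation]) -> Verdict:
        ip = ipaddress.ip_address(remote_ip)
        threshold = self.thresholds[direction]
        # Defined networks (trusted or not) are exceptions to the GTI rules.
        if any(ip in net for net in self.defined_networks):
            return ("pass", "defined network: excluded from GTI lookup")
        if threshold == Reputation.DO_NOT_BLOCK:
            return ("pass", "threshold is Do not block")
        try:
            rating = lookup(ip)
        except GtiUnreachable:
            if self.block_when_unreachable:
                return ("block", "GTI unreachable: Block traffic")
            return ("pass", "GTI unreachable: Allow traffic unless specifically blocked by rules")
        if rating >= threshold:   # ASSUMPTION: at-or-above-threshold ratings match
            return ("block", f"GTI rating {rating.name} meets threshold {threshold.name}")
        return ("pass", f"GTI rating {rating.name} below threshold {threshold.name}")


# Constructed ratings table standing in for the GTI server.
CONSTRUCTED_RATINGS = {
    "203.0.113.7": Reputation.HIGH_RISK,
    "203.0.113.8": Reputation.MEDIUM_RISK,
    "203.0.113.9": Reputation.UNVERIFIED,
}


def constructed_lookup(ip) -> Reputation:
    return CONSTRUCTED_RATINGS.get(str(ip), Reputation.DO_NOT_BLOCK)


def unreachable_lookup(ip) -> Reputation:
    raise GtiUnreachable()


def build_policy(block_when_unreachable: bool = True) -> GtiPolicy:
    """Stricter incoming threshold than outgoing; 10.0.0.0/8 is a defined network."""
    return GtiPolicy(Reputation.MEDIUM_RISK, Reputation.HIGH_RISK,
                     ["10.0.0.0/8"], block_when_unreachable)
```

The asymmetry in `build_policy` (Medium Risk inbound, High Risk outbound) illustrates why the thresholds are separate options: an inbound connection from a suspicious source usually deserves a lower bar than an outbound one that a user or process initiated. The unreachable case is worth testing explicitly in a lab before deployment, because with the default "Block traffic" a GTI outage blocks everything that is not on a defined network.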
Stateful Firewall Use FTP protocol inspection Allows FTP connections to be tracked so that they require only one firewall rule for outgoing FTP client traffic and incoming FTP server traffic.

If not selected, FTP connections require a separate rule for incoming FTP client traffic and outgoing FTP server traffic.

(Enabled by default)

Number of seconds (1-240) before TCP connections time out Specifies the time, in seconds, that an unestablished TCP connection remains active if no more packets matching the connection are sent or received. The default number is 30. The valid range is 1–240.
Number of seconds (1-300) before UDP and ICMP echo virtual connections time out Specifies the number of seconds that a UDP or ICMP Echo virtual connection remains active if it receives or sends no more packets that match the connection. This option resets to its configured value every time a packet that matches the virtual connection is sent or received. The default number is 30. The valid range is 1–300.
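The three Stateful Firewall options above (FTP protocol inspection, the unestablished TCP timeout, and the UDP/ICMP echo virtual-connection timeout) are easiest to understand as operations on a connection table. The added example below is a simplified model written for this page, not McAfee's code: a state table keyed on the 5-tuple, idle timers using the page's defaults and valid ranges, and an FTP inspector that reads `PASV` replies and `PORT` commands on an inspected control connection and registers the data channel they announce, which is why one rule for the control connection suffices. One assumption is that the unestablished TCP timer is refreshed by matching packets the same way the page says the UDP/ICMP timer is. The addresses, ports and FTP lines are constructed sample data.

```python
import math
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TCP_UNESTABLISHED_TIMEOUT = 30   # page default, valid range 1-240
UDP_ICMP_TIMEOUT = 30            # page default, valid range 1-300

# (proto, local_ip, local_port, remote_ip, remote_port); None means "any".
Key = Tuple[str, Optional[str], Optional[int], Optional[str], Optional[int]]


def key_matches(template: Key, key: Key) -> bool:
    return all(t is None or t == k for t, k in zip(template, key))


@dataclass
class Entry:
    key: Key
    expires_at: float
    established: bool = False


class StateTable:
    def __init__(self, tcp_timeout: int = TCP_UNESTABLISHED_TIMEOUT,
                 udp_timeout: int = UDP_ICMP_TIMEOUT):
        if not (1 <= tcp_timeout <= 240 and 1 <= udp_timeout <= 300):
            raise ValueError("timeout outside the range the option accepts")
        self.tcp_timeout = tcp_timeout
        self.udp_timeout = udp_timeout
        self.entries: Dict[Key, Entry] = {}
        self.expectations: List[Key] = []   # data channels predicted by FTP inspection

    def _timeout(self, proto: str) -> int:
        return self.tcp_timeout if proto == "tcp" else self.udp_timeout

    def add(self, key: Key, now: float) -> None:
        """A packet allowed by a rule creates an entry; later packets match the entry."""
        self.entries[key] = Entry(key, now + self._timeout(key[0]))

    def establish(self, key: Key) -> None:
        """TCP handshake completed: the unestablished timeout no longer applies."""
        e = self.entries[key]
        e.established = True
        e.expires_at = math.inf

    def packet(self, key: Key, now: float) -> bool:
        """True if the packet belongs to a live or expected connection."""
        self.expire(now)
        e = self.entries.get(key)
        if e is None:
            for tmpl in self.expectations:
                if key_matches(tmpl, key):
                    self.expectations.remove(tmpl)
                    self.add(key, now)          # promote the predicted data channel
                    return True
            return False
        if not e.established:                   # idle timer resets on every matching packet
            e.expires_at = now + self._timeout(key[0])
        return True

    def expire(self, now: float) -> int:
        dead = [k for k, e in self.entries.items() if e.expires_at <= now]
        for k in dead:
            del self.entries[k]
        return len(dead)


PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def _host_port(m: "re.Match[str]") -> Tuple[str, int]:
    host = ".".join(m.group(i) for i in range(1, 5))
    return host, int(m.group(5)) * 256 + int(m.group(6))


def inspect_ftp_control(table: StateTable, control_key: Key, line: str) -> Optional[Key]:
    """Read one line of a client-side FTP control connection and register the
    data channel it announces, so that channel needs no rule of its own."""
    _, local_ip, _, remote_ip, _ = control_key
    m = PASV_RE.match(line)
    if m:   # passive mode: the client will connect out to the server's advertised port
        host, port = _host_port(m)
        tmpl: Key = ("tcp", local_ip, None, host, port)
        table.expectations.append(tmpl)
        return tmpl
    m = PORT_RE.match(line)
    if m:   # active mode: the server will connect in to the client's advertised port
        host, port = _host_port(m)
        tmpl = ("tcp", host, port, remote_ip, None)
        table.expectations.append(tmpl)
        return tmpl
    return None
```

With inspection off, the active-mode case is the one that bites: the server's inbound data connection to the client matches no entry and no expectation, so it is evaluated against the rule list and needs its own incoming rule. Raising the timeouts keeps half-open TCP and idle UDP entries alive longer, so prefer the defaults unless a specific application needs more.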
Firewall Status Control (Windows only) Allow users to disable Firewall from the McAfee system tray icon Specifies that the user can disable and enable Firewall from the McAfee system tray icon instead of using the schedule.

Select this option to display the Disable Endpoint Security Firewall menu option under Quick Settings in the McAfee system tray icon. When Firewall is disabled, the option is Enable Endpoint Security Firewall.

(Disabled by default)

Retain user-disabled Firewall status when this policy is enforced Retains the Firewall disabled status set on the client system.

Select this option to prevent the Firewall enabled status in the policy from replacing the Firewall status set on the client when the policy is enforced from McAfee ePO.

(Disabled by default)

Require justification from users when managing Firewall from the McAfee system tray icon Requires that the user enter a reason when managing Firewall from the McAfee system tray icon.

Select this option to prompt the user for a reason before allowing them to disable Firewall or enable timed groups.

(Disabled by default)

Defined Networks Defines network addresses, subnets, or ranges to use in rules and groups or defines networks as trusted.
  • Add Defined Network or + — Adds a network address, subnet, or range to the defined networks list.

    Click Add Defined Network, then complete the fields to define the network. Click + to define subsequent networks.

  • - — Deletes the selected address from the defined networks list.
Address type Specifies the address type of the network to define.
Address Specifies the address of the network to define.
  • Trusted — Defines the network as trusted.

    Firewall allows all traffic to and from trusted networks.

  • Not trusted — Defines the network for use in rules and groups. You can use networks defined as not trusted for the local or remote network criteria in a rule or group.

    Defining a network as not trusted adds those networks as exceptions to McAfee GTI rules in Firewall.

Best practice: To control traffic to Defined Networks that aren't trusted, associate them with firewall rules or groups.
Trusted Executables (Windows only) Specifies executables that are safe in any environment and have no known vulnerabilities. These executables are allowed to perform all operations except operations that suggest that the executables have been compromised.

Configuring a trusted executable creates a bi-directional Allow rule for that executable at the top of the Firewall rules list.

  • Add — Adds a trusted executable.
  • Actions
    • Edit — Changes the selected item.
    • Delete — Removes the executable from the trusted list.